On Patch Tuesday’s 10th birthday, Microsoft awards first $100,000 bounty to security researcher for new exploit

Microsoft today awarded $100,000 to security researcher James Forshaw for submitting a qualifying entry in the company’s Mitigation Bypass Bounty. $100,000 is the maximum payout figure that the company currently offers.

The payout means Microsoft has now paid out over $128,000 via its bounty programs, which launched only in June. Only last Friday the company was highlighting that it had paid a total of $28,000 to six security researchers for vulnerabilities found in the preview version of Internet Explorer 11.

Forshaw was one of those six, and his total compensation now amounts to $109,400. He almost didn't get the six-figure award:

Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.

Microsoft says it can’t go into the details of this new mitigation bypass technique that Forshaw discovered until it has been addressed. Nevertheless, the company says it is “excited” to be better able to protect customers by creating new defenses for future versions of its products because of the security researcher’s work.

“We’re thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering,” Katie Moussouris, senior security strategist lead of Microsoft Trustworthy Computing, said in a statement. “James’ entry will help us improve our platform-wide defenses and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues.”

The timing of today's award couldn't be more perfect. This month marks the 10th anniversary of Microsoft's monthly security patching process, known simply as Patch Tuesday. October 2013's security bulletins are available here.